Recently I was contacted by Toptal to join their network as a developer. I heard some good stuff about them before so I decided to give it a go. Toptal is "a network comprised of the most thoroughly screened, talented freelance engineers in the world". To enter the network you have to pass 4 tests. The first one is an interview - a simple English test, the second one is Codility test. The third one is a one-to-one test with a senior developer from the network when you need to solve two problems at limited time. And the last one is to create a full application.

Anyway, I am not going to talk about Toptal, rather than the project they gave me to do as the last part of the screening process. The full text of the project as well as the solution you can find on my GitHub. In this post I will only go through the main things and make some general remarks how development should be done and what you should pay attention, I won't cover every detail because there is too much code. For all the details you have code on GitHub.

Authentication

Since I needed to create API with every operation done using JavaScript I decided to use Angular to create a SPA. And since there is an API and SPA I decided to authenticate users using tokens. I didn't want to use Devise since the basic gem doesn't offer token authentication and then you need to add some other gem to be able to do that so I decided to use so called JWT (JSON web token). More about that technology you can find here.

Token generation, encoding and decoding is very simple using existing ruby gem. Only thing you need to do is gather everything in a whole. The general idea when user needs to be authenticated is to generate an API call with the parameters of email and password. If it turns out that this is the valid user, the token is being generated and returned to the user as a JSON response. That response also contains a data what user it is (user_id). The whole token is saved in the browser's local storage. Instead, a token can be stored in a cookie (therefore cookie is used as a storage), more about that you can find on this link.

Then, each time the client sends a request to the API, the token is being added to the header of that request. To do this, an interceptor is created on Angular side which intercepts each request and does this part of the job.

On the API side, the token is being extracted from the header of that request and checked whether it is valid (the expiration time is being set on the token). If it is valid than user_id is being used to get data for current_user. If token is invalid or there isn't any token, API returns http code 401 - which prevents unauthorized access to the API if someone is not authenticated...

Authoriza﻿tion

Authorization is certainly another important thing in every application but unfortunately it is something that is not paying too much attention. Of course, everyone has their own idea of how authorization should be implemented and I don't think there is any general best practice but I think that this approach, which I applied here, is more than good. It is necessary to do authorization on the API side and also in the web application. On API side because calls can be directed only to an API without any application involved and within application users without enough permissions should be forbidden access to the certain parts of the application as well as the forms for inserting new data.

I defined three types of user in the application - regular user, admin and user manager. A regular user has permission to only list her expenses and to create them, user manager has the right to list all the users in the application, edit them and create a new one, admin has the right to create expenses for herself and to list and edit expenses of all users in the system as well as to create new and edit existing users.

- Api

I didn't want to use Cancancan or Pundit or similar gems because I wanted to save myself some time and the authorization on the API is more than simple. All you have to do is to create a before_action filter and each controller then has to define who has the right to access the actions within it. If someone doesn't have permissions then you need to return http code :forbidden. This of course can't be tested in the application but there are tests you can write to check if everything is fine.

moduleApiclassUsersController<Api::BaseControllerbefore_action:is_authorized?privatedefis_authorized?if@current_user.is_regularrenderjson:{error:"Doesn't have permissions"},status::forbiddenreturnendendendend

- Angular

Angular part is a little more complex... First you should remove links from menu if certain user doesn't have permissions and then you should also disable the possibility for the same users to manually enter routes in the browser, which would allow them to visit those pages. It is pretty much easy to disable links in the menu but to do the other part you need to put some more effort in it. The most important part can be found in the file angular/services/auth.coffee:

I think this is more than elegant solution for authorization. The whole code you can find on GitHub as I mentioned before.

Rails API

When you set up the basics of the application with authentication and authorization then you must set up the API part of the Rails. There is an excellent RailsCast about it and many tutorials online so I won't go into details. Of course, you can use Grape instead of Rails but I decided to stick with Rails because I've never before worked with Grape and I wanted to save time on this part too. The thing you have to keep in mind are the routes and the fact that each API call must return JSON response. You can use active model serializer or Jbulder or you can even go without that of course. But I used Jbulder because you definitely need an easy way to properly create JSON you want to return to the user that made the request. Again I have to mention that you have a great RailsCast episode how to use Jbuilder so I won't write on this topic further.

Angular app

This was a new ground for me, I've never built a SPA before but for two weeks how long did this project last I am very satisfied with what I've achieved. There are several ways to integrate your Rails API with Angular application. Again I chose the simplest option, although probably not the best. I used Angular gem. I think that in a bigger project the best way is to completely separate API part of its SPA part and not use this gem but in this situation it served the purpose really well.

I won't post pieces of the code here because you have a whole project on GitHub, but I would like to note that I used Slim for making templates, CoffeeScript instead of a plane JavaScript because I like cleaner code and I used Bootstrap too. I made a couple of filters in order to extract information about date and time from the column in the database that stores datetime together for nicer display. Everything else is pretty straightforward.

Timezone

The part of the project that I had the most headache is the part with printing data for expenses arranged by weeks. Why was this such a big problem? As I wrote in a previous blog post, it's very important how you work with time zones in your application. The best practice is to store everything in UTC time in the database. When a user enters a date and time in the form (her local time) you have to store that time in the UTC format in the database and then when you need to display that time to the user you have to convert it back into her local time. Pretty standard stuff... Except for one little thing - the requirement is to display expenses arranged by weeks and by weeks it's meant from the user's perspective. From user's perspective a week isn't the same as a week on the server which is in UTC time. So, you have to deal with UTC time because you have to prepare JSON response in your API but in the same time you have to deal with user's local time (starting and ending of the week) and arrange JSON response according to that. If a user is, for example, in Belgrade (CET) and if she inserts an expense for Monday, July 27th at 1 AM it would be 31st week of the year according to her. But by the server's time, it is Sunday July 26th at 11 PM, which means it is 30th week for the UTC time. I solved this problem by sending time zone offset as a parameter to the API and by adding it to a time I stored in the database. You must also pay attention to the edge cases when you calculate weeks when start of a week is in one year and its ending is in the next year.

TestS

Last but not least - tests! Writing tests is very important and you shouldn't neglect it even if you have tight deadline. I did lot more here than it was expected from me but unfortunately I didn't have time to write tests for JavaScript, but the procedure is pretty standard... I used Factory Girl and Faker to create data and also Database Cleaner to clean data after running tests.

Next, you should write unit tests - tests for models, since this is not a big database there is only two models to test, user and expense:

require'rails_helper'describeExpensedoit'has a valid factory'doexpect(build(:expense)).tobe_validendit'is invalid without an amount'doexpect(build(:expense,amount:nil)).to_notbe_validendit'is invalid without a description'doexpect(build(:expense,description:nil)).to_notbe_validendit'is invalid without a time'doexpect(build(:expense,for_timeday:nil)).to_notbe_validendit'is invalid with a time set in the future'doexpect(build(:expense_future)).to_notbe_validendit'should belong to a user'doexpense=build(:expense)user=build(:user)expense.user=userexpect(expense.user).tobeuserendend

And finally functional tests - for testing your controllers. I am especially proud of this part of the application since I covered entire API - authentication, authorization as well as creating expenses, users and so on...

require'rails_helper'describeAuthControllerdo# because of the jBuilder I need to render viewsrender_viewsdescribe'POST #register'docontext'with valid credentials'doit'returns user id'do#build a user but does not save it into the databaseuser=build(:user_regular)post:register,{email:user.email,password:user.password,format::json}expect(response.status).toeq200parsed_response=JSON.parseresponse.bodyexpect(parsed_response['user']['id']).to_notbe_nilendendcontext'with invalid credentials'doit'does not have email'dopost:register,{password:"pass",format::json}expect(response.status).toeq401parsed_response=JSON.parseresponse.bodyexpect(parsed_response['errors']).to_notbe_nilexpect(parsed_response['errors']['email'][0]).toeq"can't be blank"endit'does not have password'dopost:register,{email:"email@email.com",format::json}expect(response.status).toeq401parsed_response=JSON.parseresponse.bodyexpect(parsed_response['errors']).to_notbe_nilexpect(parsed_response['errors']['password'][0]).toeq"can't be blank"endendenddescribe'POST #authenticate'docontext'with valid credentials'doit'returns token'douser=create(:user_regular)post:authenticate,{email:user.email,password:user.password,format::json}expect(response.status).toeq200parsed_response=JSON.parseresponse.bodyexpect(parsed_response['token']).to_notbe_nilendit'returns token with 3 parts separated by comas'douser=create(:user_regular)post:authenticate,{email:user.email,password:user.password,format::json}expect(response.status).toeq200parsed_response=JSON.parseresponse.bodyexpect(parsed_response['token'].split('.').count).toeq3endit'returns first name and last name of the user'douser=create(:user_regular)post:authenticate,{email:user.email,password:user.password,format::json}expect(response.status).toeq200parsed_response=JSON.parseresponse.bodyexpect(parsed_response['user']['first_name']).toequser.first_nameexpect(parsed_response['user']['last_name']).toequser.last_nameendendcontext'with invalid credentials'doit'does not return token'douser=create(:user_regular)post:authenticate,{email:"no_"+user.email,password:user.password,format::json}expect(response.status).toeq401endendenddescribe'POST #token_status'docontext'with valid token'doit'returns OK code'douser=create(:user_regular)token=AuthToken.issue_token({user_id:user.id})post:token_status,{token:token,format::json}expect(response.status).toeq200endendendend

The end

If you are a great developer and you want to try yourself to do some similar project, and if you want to work for the Toptal as a freelance developer, to fulfill your dreams to work from home or some exotic island you can sign up here, I enjoyed participating in such a process of selection of candidates.